The Government says it has a policy on disclosing zero-days, but where are the documents to prove it?

By Andrew Crocker | EFF

We have known for some time that the U.S. intelligence and law enforcement community looks to find and exploit vulnerabilities in commercial software for surveillance purposes. As part of its reluctant, fitful transparency efforts after the Snowden leaks, the government has even officially acknowledged that it sometimes uses so-called zero-days. These statements are intended to reassure the public that the government nearly always discloses vulnerabilities to software vendors, and that any decision to instead exploit the vulnerability for intelligence purposes is a thoroughly considered one.

But now, through documents EFF has obtained from a Freedom of Information Act (FOIA) lawsuit, we have learned more about the extent of the government’s policies, and one thing is clear: there’s very little to back up the Administration’s reassuring statements. In fact, despite the White House’s claim that it had “reinvigorated” its policies in spring 2014 and “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” none of the documents released in response to our lawsuit appear to be newer than 2010.

Last spring, the Office of the Director of National Intelligence (ODNI) issued a strong denial of press reports that the NSA knew about and exploited the Heartbleed vulnerability in the OpenSSL library. As part of that denial, the ODNI described the “Vulnerabilities Equities Process” (VEP), an “interagency process for deciding when to share vulnerabilities” with developers. EFF submitted a FOIA request to ODNI and NSA to learn more about the VEP and then sued to force the agencies to release documents.

ODNI has now finished releasing documents in response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP “Highlights” from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an office called the “Executive Secretariat” within the NSA. The only other highlight left unredacted explains that the VEP “creates a process for notification, decision-making, and appeals.”

Read full report via EFF.